[00:19.640 --> 00:22.000]  It's been a long minute.
[00:27.010 --> 00:29.470]  Okay, looks like we're good.
[00:30.490 --> 00:39.030]  So, joining me today are Trey Cohen and Brenda So.
[00:39.110 --> 00:44.530]  And I have the pleasure of congratulating you for your first time DEF CON talk.
[00:44.530 --> 00:48.430]  And with that, we have a tradition where we share a shot with the speakers.
[00:48.430 --> 00:53.430]  So, please lift your glass and welcome to DEF CON.
[01:01.240 --> 01:02.460]  All right.
[01:02.460 --> 01:03.620]  All right, yeah.
[01:05.260 --> 01:11.960]  Then you spend the next few minutes trying to get your voice back after drinking Firewall, or Firewire, right?
[01:13.460 --> 01:15.260]  I hope it's not Fireball.
[01:15.620 --> 01:21.040]  Yeah, we could actually spend a half hour talking about Fireball if you want to, that's good.
[01:21.240 --> 01:23.320]  But we actually do have a question coming in.
[01:23.320 --> 01:32.520]  So, first question is, why on earth would a public ATM system use such easily defeated systems as Windows CE 6 and triple DES?
[01:35.700 --> 01:36.220]  Well...
[01:36.760 --> 01:38.220]  You can go ahead, Brenda.
[01:38.720 --> 01:39.620]  Oh, okay, sure.
[01:39.620 --> 01:40.580]  I'll do it.
[01:42.380 --> 01:43.680]  I'll do it.
[01:43.680 --> 01:49.280]  So, I think for retail ATMs, the main consideration for them is price.
[01:49.280 --> 01:58.120]  So, like, the license for Windows CE is definitely cheaper than, like, more up-to-date, like, Windows 7 or Windows 10 ATMs.
[01:58.120 --> 02:08.700]  In fact, a lot of financial ATMs, like ATMs you see at financial institutions like a bank, they would use more up-to-date Windows software.
[02:08.700 --> 02:14.280]  As for triple DES, triple DES is more of an industry standard, I would say, for financial institutions.
[02:14.280 --> 02:15.320]  That's how they use it.
[02:16.440 --> 02:21.380]  Yeah. And, you know, we kind of touched on this in the talk, is, you know, we're...
[02:21.380 --> 02:29.740]  There's a consideration to be had where, you know, you have this device that's been built, it's been out there for years, and, you know, hasn't caused you any issues so far.
[02:30.860 --> 02:35.200]  And it's a reasonable price if you have all these systems built up around it.
[02:36.180 --> 02:48.400]  You know, if it's not something that, you know, an end user is directly affected by, at least in the immediate term of being able to see, you know, oh, this ATM is insecure,
[02:48.840 --> 02:55.440]  you know, you just assume your ATM is secure, you don't get any complaints about it, you can get it at a cheap price, just keep selling it.
[02:55.800 --> 02:59.300]  That seems to be the motivation here.
[03:00.580 --> 03:06.620]  Yeah, and if you are, like, a convenience store owner, like, looking to buy an ATM, the first thing you look at is price, right?
[03:06.620 --> 03:12.440]  Like, you don't really... like, I do not think security would be in your mind when you're purchasing...
[03:12.440 --> 03:17.540]  like, when you're just a store owner trying to purchase an ATM for customers to use.
[03:17.800 --> 03:18.360]  So hence...
[03:18.360 --> 03:19.240]  And everyone's...
[03:19.240 --> 03:20.260]  Yeah.
[03:20.400 --> 03:26.920]  Everyone's seen those videos of, like, the backhoe being, you know, pulled out to grab the ATM and dig it up and dump it in a truck.
[03:26.920 --> 03:35.220]  I know physical security is a huge consideration, but network attacks are not necessarily the biggest consideration.
[03:38.340 --> 03:39.220]  Great.
[03:39.220 --> 03:43.520]  So, looks like you guys actually are winning on YouTube.
[03:43.520 --> 03:47.240]  You've got 8,000 views on this, so it seems...
[03:47.240 --> 03:58.940]  I think everyone was waiting for that Barnaby Jones moment, which, you know, I was a little bit disappointed to see you actually letting the cash drop into the, you know, the holder.
[03:58.940 --> 04:05.240]  I imagine that was a pretty great moment to see that cash disperse, though, right?
[04:05.600 --> 04:12.820]  Yeah. Barnaby Jack was a great showman there in terms of his talking, putting this out there initially.
[04:12.840 --> 04:23.220]  So, you know, we're happy to be able to have something to try and, you know, follow up 10 years later and see, you know, are these still secure?
[04:23.360 --> 04:26.640]  And can we make a really cool demo?
[04:26.640 --> 04:35.320]  Probably not as cool, but, you know, at least try to attain the level of coolness of his talking and dumping some cash out.
[04:38.490 --> 04:43.290]  Very cool. You mentioned that the ATM was capable of TLS and SSL.
[04:43.610 --> 04:48.310]  Would the replay attacks have been possible if they had enabled that on the ATM?
[04:48.310 --> 04:53.230]  Or was this protection on for the communication with the host processor?
[04:53.230 --> 04:59.330]  So the replay attacks were for... the replays were for XFS.
[04:59.330 --> 05:06.950]  So that's a completely, I guess, separate question there in terms of, you know, doing replays.
[05:06.950 --> 05:19.500]  The replays were replaying traffic that was going on the loopback interface on the device and sending that over the network into the XFS middleware.
[05:19.500 --> 05:31.960]  But the TLS and SSL is actually for communicating up to the RMS, or not the RMS, but the payment processor, I believe.
[05:31.960 --> 05:33.380]  I'll let Brenda speak a little bit more about that.
[05:33.380 --> 05:42.140]  Yeah, yeah. TLS and SSL are for communication with a middleman between the ATM and the credit card network.
[05:42.140 --> 05:47.790]  It doesn't encrypt inter-process communication within the ATM itself.
[05:51.790 --> 05:59.650]  Cool. So Hawkeye, who did not see the full video, I share that problem with Hawkeye.
[06:00.090 --> 06:06.430]  Was there anything that you saw that you could do with the camera once you started compromising the machine?
[06:07.270 --> 06:15.210]  So the ATM that we bought, the camera is actually an extra module that cost a couple extra hundred dollars. We didn't buy that part.
[06:15.210 --> 06:19.270]  So we didn't really look at it, if that's what you're wondering.
[06:19.750 --> 06:20.870]  Gotcha.
[06:22.590 --> 06:34.870]  That is something that is a standard component on the middleware there, but in terms of how widespread that is, it's not something we're super familiar with.
[06:34.870 --> 06:39.610]  But our ATM, certainly, the base model, lowest price, did not have that.
[06:41.150 --> 06:46.910]  Yeah, at least it didn't come with a $3,000 pay per ATM.
[06:48.510 --> 07:00.910]  Great. So another question is, can you explain more about which steps in the first 40 minutes of the video are necessary to exploit the cache disperse function over port 8004?
[07:00.910 --> 07:09.070]  It seems like, for a while, you would need to upload new files and application binaries, which would direct the response to your payment processor.
[07:09.370 --> 07:20.450]  But at the end, it appeared that all you needed to do was make the cache disperse, was to connect to the network, intercept the instructions, and resend them.
[07:22.010 --> 07:33.550]  Yeah. A lot of what goes on here is, you know, there's kind of the old adage about, you know, you're not paying an automotive mechanic to hammer for, you know, an hour.
[07:33.550 --> 07:35.530]  You're paying them to know, like, where to hammer.
[07:35.590 --> 07:47.430]  So figuring out where to hammer for this ATM was a very long process, and that took a number of, you know, firmware upgrades on our end, adding our custom tools in there.
[07:47.430 --> 07:50.790]  And, you know, progress kind of came in fits and spurts.
[07:51.050 --> 08:02.910]  So, you know, Brenda discovered the RMS vulnerability, and, you know, we took that and kind of were able to build an exploit around that.
[08:02.910 --> 08:11.810]  The XFS stuff was largely built on the ladder block and the debugging capabilities we developed there.
[08:12.030 --> 08:23.870]  So being able to debug things, being able to figure out, you know, that these messages are going over the loopback interface, and being able to capture those was a whole process that took quite a while.
[08:23.870 --> 08:29.730]  But then, at the end of the day, you're just sending a single TCP packet over the Ethernet interface.
[08:31.210 --> 08:37.270]  As for the function that we find in IDA and the binary, that's more for an exploratory process.
[08:37.570 --> 08:40.910]  So the cache dispense or the print receive function doesn't just do what it does, right?
[08:40.910 --> 08:44.330]  There's a lot of setup involved, like, there's a lot of checks, etc.
[08:44.710 --> 08:50.990]  So it doesn't really work well for, like, a direct injection, as elegant as the vulnerability that Trey has found.
[08:50.990 --> 08:58.170]  But that helped us a lot in understanding how the ATM internals work, like, how, like, the processes communicate with each other, etc.
[08:59.730 --> 09:12.010]  So, follow-up on that. Do you think that the understanding you were able to glean from doing that sort of reverse engineering on it, how much of that do you think transfers to the Windows 10 higher-end machines?
[09:14.750 --> 09:16.050]  That's a good question.
[09:17.110 --> 09:23.590]  So the vulnerability, so what matters, you're talking about the difference between the OSs, right?
[09:23.590 --> 09:28.570]  So the OS, I would say that the OS and the application binary are separate.
[09:28.750 --> 09:39.890]  So everything that we found, every vulnerability that we found is in the application side, and none of them relates on a kernel, like, depends on a kernel exploit.
[09:40.190 --> 09:42.050]  So you can look at it like that.
[09:42.050 --> 09:51.790]  And also, if you're talking about Windows 7 and Windows 10, we're talking about financial institutions that probably, like, poured in hundreds of thousands of dollars into securing their framework.
[09:51.790 --> 09:56.470]  So I think it'll be interesting, but I'm not sure. We don't really have banks.
[10:00.290 --> 10:05.430]  There's no asterisk to that, you know, so don't come after us.
[10:06.730 --> 10:09.190]  I think, you know, that's a good point.
[10:09.190 --> 10:24.370]  A lot of, at least in terms of the XFS vulnerability, that will depend on how much of their middleware is portable between the retail versions of the ATMs and the financial versions of the ATMs.
[10:24.370 --> 10:29.710]  How much of that codebase is shared? Was there some refactor that happened along the way?
[10:29.710 --> 10:45.170]  That's not something we have the resources to answer. We don't have these very large, expensive ATMs. We're focusing on these slightly more accessible ATMs that are, you know, a couple thousand, thousands of dollars.
[10:45.630 --> 10:57.350]  Yeah, and even if we have the money, I don't think they would sell it to us. Can you imagine just calling a mom and saying, I want a financial ATM for 10 grand. They ask you, what is it for? And then you don't know what to answer, right?
[10:57.630 --> 11:07.710]  But for the retail ATMs, you find, like, a distributor and just say, I want an ATM. And there you go. One showed up at the office.
[11:09.610 --> 11:26.970]  And we also actually asked, we tried to purchase a license for the remote management software, but I think by that point they were kind of questioning why we would want to buy the remote management software and chose not to sell it to us.
[11:27.670 --> 11:32.790]  But we were able to buy numerous ATMs just by going to this ATM distributor.
[11:33.550 --> 11:41.130]  Wait, sure. Did you find a copy at the, what was it called, Wayback Machine? Like a copy of the RMS service?
[11:41.130 --> 11:58.830]  So there is an older version of the software that you can find with a lot of work. This is not something I was able to find very easily, but there is something on the Wayback Machine where there is an error of this software.
[11:58.830 --> 12:08.310]  I couldn't actually get it to work with our ATM, so I'm not sure how useful that would be.
[12:12.040 --> 12:21.340]  Cool. So on the admin page, the ATM, did it have any ways to kind of harden the security, like requiring a larger pin or anything like that?
[12:25.440 --> 12:38.220]  I think if the password is longer, maybe. But if you also think about the ATM inputs, it's just like a 10, there's only so many keys you can input, right? Like it's 1, 2, 3, 4, 5, 6, 7, 8, 9, and 0.
[12:38.580 --> 12:50.940]  So it would be within the numeric range. But I think the security on that part is if you spend a lot of time just standing in front of the ATM and inputting every single key,
[12:50.940 --> 13:01.200]  it will look suspicious at one point. But I don't know, but then the thing becomes whether someone actually comes up to you and asks you, why are you spending so long at the ATM?
[13:04.620 --> 13:18.560]  Yeah, and again, there is that option for things like TLS and SSL, but securing it from an end user coming up and trying to just guess the password to administrate the ATM,
[13:18.560 --> 13:26.520]  that's not something that seems to be much of an option beyond a six-digit numeric passcode.
[13:30.000 --> 13:52.680]  Great, so one thing, you mentioned the initial research occurred over 10 years ago. Were you surprised that you were still able to fuzz that RMS after it was already exploited?
[13:54.020 --> 13:56.600]  Can you ask the question again?
[13:59.720 --> 14:18.860]  Yeah, I'm still learning English, so I'm not sure I can, but what I was trying to ask was, were you surprised you were able to fuzz and find something in RMS even after that was the specific path that was exploited over 10 years ago?
[14:19.580 --> 14:32.100]  Yeah, we're pretty surprised. Actually, we did the reversing independently because at that time we couldn't find any information, so we just put our efforts, used all the tools that we had and reversed it for two weeks, right?
[14:32.100 --> 14:46.280]  And then afterwards, we found Barnaby Jack's IOactive documents on the RMS protocol and how he exploited it, and when we looked at the two package structures that we found,
[14:46.280 --> 14:56.680]  they're exactly the same, and the obfuscation or the encryption techniques are also exactly the same, so that was kind of surprising. I would have thought that something would have changed, but it didn't really.
[14:58.460 --> 15:10.740]  Yeah, and that initial vulnerability was patched, although this was still something that was a bit of a separate issue that we discovered.
[15:13.160 --> 15:22.160]  All right, so we have a question from the audience. Do you plan on continuing your research, and if so, would you play at the payment processor level if you had a way to get a hold of the right folks?
[15:26.420 --> 15:37.200]  Payment processor... that would be interesting to look at, because when we were looking at the admin screen, the protocol that we reverse-engineered is not the only protocol that is there.
[15:37.200 --> 15:48.380]  There are different kinds of standards for different kinds of payment protocols. I don't know why they need so many. There's four in total. I don't know why they need so many, but it's just there, so I think it would be interesting to look at those.
[15:50.060 --> 16:04.160]  Yeah, that could be an interesting avenue. We started looking into a few other ATMs, but that's a whole other initial reverse-engineering effort that we want to undertake.
[16:05.400 --> 16:16.100]  We actually stuck to this line of ATM, and the software between the smaller ATM and the larger one that we have is exactly the same, so that was very portable.
[16:17.780 --> 16:29.120]  Yeah, and if you look at... I think on one side of the PowerPoint, we show that the two ATMs use the same firmware, but there are also other ATMs that also use the same firmware.
[16:29.200 --> 16:39.760]  So the vulnerability that we find don't just affect the two ATMs specifically, but it affects every single ATM that uses that exact firmware update.
[16:43.660 --> 16:56.220]  So one thing that came to mind when I watched the video was, I was wondering if your intern locking the key in was by design just to increase the challenge or just an accident.
[16:56.760 --> 16:59.340]  Oh, that was an accident.
[16:59.340 --> 17:15.280]  Yeah, that was not a fun afternoon to realize that you have an ATM, and the only thing that can open it is the second side of it, and the key, ordering it online while we're at it for another week or at least a few days.
[17:15.280 --> 17:20.120]  So it's not great when you have a deadline for a CTF coming up there.
[17:23.520 --> 17:37.740]  It's our initial effort. I think it's like a month in, and then we have a deadline. And then we just had so much reverse engineer efforts done at that stage, and I really need to do the firmware update, and some intern just locked it in there.
[17:37.740 --> 17:49.200]  I think I got pretty pissed during that time. And that's why we spend so much effort. I can't wait. I have a deadline in two days. I can't wait for Amazon to come. I can't do firmware updates for two days.
[17:49.200 --> 17:53.080]  We bought a lock picking kit.
[17:54.440 --> 17:55.700]  Tubular locks.
[17:55.940 --> 18:04.600]  Yeah, it doesn't come on time, and that's why we're printing the ATM keys. We just need to unlock it somehow.
[18:05.260 --> 18:11.020]  Yeah, I was trying to chip away at some of the plastic on there and see if we could fish the key out from the inside.
[18:11.960 --> 18:27.380]  Ang was like, yeah, you know, we've got 3D printers. We've got pretty nice 3D printers at the office. So he just went in and, you know, there's tubular lock keys you can download on Thingiverse or wherever we posted that from.
[18:27.840 --> 18:40.740]  Just set what the pin should be, which on some keys is just written on the top of the key. So you can do an image search or a search online for this key and then the combination is just right there on the key.
[18:42.020 --> 18:46.700]  Wait, Richard, didn't you open it with a claw tanger at one point?
[18:47.480 --> 18:49.780]  There are other ways into the ATM.
[18:53.460 --> 18:56.020]  I'll leave it at that. There are other ways into the ATM.
[18:57.440 --> 19:00.000]  So intern still with you or not?
[19:00.220 --> 19:01.980]  Oh yeah, he's full time.
[19:06.020 --> 19:07.860]  Living inside the ATM.
[19:10.020 --> 19:13.560]  I don't think you could fit someone in there. Maybe in the vault.
[19:14.720 --> 19:17.960]  Yeah, maybe. Oh, yo, I think we could.
[19:19.380 --> 19:21.120]  Do you want to volunteer for that?
[19:21.120 --> 19:21.840]  No.
[19:21.840 --> 19:27.880]  I think I'm the smallest person physically at a company. I still don't want to do that.
[19:30.280 --> 19:33.800]  Pepper would fit. The office size.
[19:37.780 --> 19:51.820]  So we actually have another legit question. It said, looking at the different parties involved, do you know who would be on the hook for lost cash if someone did such an attack from buying your ATMs? How are the contracts structured?
[19:53.300 --> 19:55.080]  It's a great question.
[19:56.100 --> 20:05.820]  The ATM industry, I think based off of what I've been looking at online as an end user, there's a couple of different ways you can go about buying an ATM.
[20:06.140 --> 20:17.100]  You can be the one who physically owns the ATM and you do everything yourself, reloading cash, updating the software, connecting it to a payment processor, all of that.
[20:17.640 --> 20:27.600]  Or you can go to a payment processor and sometimes they have partnerships where they'll make it easier to onboard and get things going.
[20:27.600 --> 20:34.620]  Or you can just say, I have this spot. I want an ATM. I don't want to buy the ATM. I just want to cut off the top.
[20:34.620 --> 20:39.940]  And whoever puts one ear, you know, you can take a cut off the top as well. So we'll kind of split that.
[20:40.540 --> 20:54.880]  But, you know, there's different ways the ownership model for ATMs works. So it would depend on that. But as far as who's actually liable, that's not something I necessarily have the business insight to answer.
[20:56.200 --> 21:03.140]  Yeah, we focused more on the technical part. We didn't really look at the legal and the economic implications.
[21:06.560 --> 21:21.520]  Sure. So kind of looking ahead, what kind of things should the community take from your research and where can they take this kind of thing to the next step in taking a look at ATM security?
[21:22.060 --> 21:32.120]  Which direction should we all be going after we get our ATMs delivered to our house?
[21:33.800 --> 21:42.340]  So what we did is actually... if you look at the actual vulnerability itself, right, what we did is not that difficult. We didn't discover like...
[21:43.320 --> 21:53.660]  Buffer overflow is not... we're not the first one to discover buffer overflow. We're not the first one to discover that, you know, you shouldn't broadcast your IPC communication.
[21:53.660 --> 22:05.560]  Right. So even though reverse engineering took a very, very long time, the actual vulnerability discovery took around like two months or so. And we're pretty new at that as well.
[22:06.020 --> 22:18.620]  So I think for next steps, maybe we can look at other attack vectors other than network-based attacks or to actually delve deeper into network-based attacks and see how one could attack that.
[22:19.240 --> 22:29.320]  Yeah. And as an end user, as a consumer of ATMs, it's hard for you to have a voice in this power structure to say, you know, to demand security.
[22:29.800 --> 22:38.960]  Normally, this is not something where you can go online and just navigate to a different website. This is like a real world physical thing where you're kind of stuck with what's in front of you.
[22:38.960 --> 22:51.620]  So being able to tell a shop owner, hey, you know, this ATM is out of date, you know, you should update your software. That's a little difficult because, you know, it's not advertising necessarily what software version is running.
[22:51.620 --> 23:03.740]  It's not saying, you know, I'm a Windows 66 device, which has been past the extended support end of life for a couple of years now.
[23:04.460 --> 23:19.100]  It's a difficult problem. But, you know, raising awareness in the community about that and letting people be able to stop and think before you use an ATM, which you should do regardless, you know, with the proliferation of card scanners and everything out there.
[23:19.100 --> 23:28.680]  But being discerning in terms of how you use ATMs is a difficult thing. And it's not an easy problem to solve.
[23:28.680 --> 23:36.600]  But just having that voice in the back of your head saying this could be out of date, this could be having issues is a good first step.
[23:40.660 --> 23:56.200]  So just a follow up to that. I mean, I think, you know, as you said, it's not like a small business owner can just go, you know, go switch to a different one overnight or even get the insight into something before they make the purchase.
[23:57.300 --> 24:08.080]  You know, as a consumer, did you really... it seems like the stuff you found wasn't necessarily a risk to the consumer as much as it is to the owner of the ATM.
[24:08.440 --> 24:14.320]  So, you know, you mentioned card skimming, but is there really anything you found that consumers need to be worried about?
[24:15.500 --> 24:22.840]  So for the exploit that Brenda focused on, the RMS exploit, the one that she discovered, that allows for arbitrary code execution.
[24:23.280 --> 24:31.440]  And the implications of that, you know, it depends on how far your imagination can take it and how creative the attacker can get.
[24:32.540 --> 24:38.040]  So, you know, I'll hand it off to her. That's really more her spot to talk about.
[24:38.960 --> 24:43.980]  It depends. We're talking about how a consumer can be affected, right?
[24:43.980 --> 25:02.880]  Like, I believe in our demo, we demonstrated that you can, like, an attacker can extract information from, like, their magnetic strip or the credit card chip of their cards when they insert it and try to just, like, check for the balance or withdraw money.
[25:02.880 --> 25:11.460]  So on the consumer's side, what's going to affect them is that their data would be compromised, right?
[25:11.460 --> 25:27.540]  Because, like, the pin is encrypted, triple-desk. I mean, like, even though it's deprecated, it still takes a while to decrypt, sorry, crack the triple-desk, like, triple-desk pin number.
[25:27.540 --> 25:33.180]  Just like your credit card information, every bit of information for a credit card chip can be extracted.
[25:39.900 --> 25:40.860]  Yeah.
[25:42.660 --> 25:44.360]  I think you're on mute.
[25:44.880 --> 25:45.960]  Yeah, sorry.
[25:47.120 --> 25:48.860]  Indeed, I am on mute.
[25:48.860 --> 26:02.580]  So, and back to the physical security kind of aspect of this, based on the simplicity of those two locks that you encountered, do you think the ATM manufacturers should start installing more complex locks?
[26:02.740 --> 26:11.280]  Or do you see a purpose for the locks that they choose? Like, why would they go with this if there are more secure options out there?
[26:11.840 --> 26:22.700]  You know, sometimes you want to have a key that's keyed alike. You know, you want to be able to, you know, take a single key around and unlock numerous locks and be able to buy more of these locks that are all keyed in the same way.
[26:22.700 --> 26:42.080]  But the issue here is that every single ATM of this model, the top compartment, we show the separation between the top of the ATM, which has all the electronics and the main circuit board with the computer, and the bottom part of the ATM, which has the cash dispenser and the cassettes with all the cash in them.
[26:42.080 --> 26:54.620]  The top part, all the keys are the same. So, you know, really the first step there is making this not be a commonly available key that anyone can just buy.
[26:55.820 --> 27:12.000]  So, you know, the bottom of the ATM certainly is quite a bit more secure. You have different keys, I believe, and you have the electronic lock on the ATM itself. So there's quite a bit of extra steps taken there to protect the cash.
[27:12.000 --> 27:29.440]  But in terms of the main components there, that step would still be likely a good one to take to change out the cores and make different keys for different ATMs.
[27:33.120 --> 27:38.570]  Cool. Did you guys work on any chip-based ATMs during your research?
[27:40.710 --> 27:41.990]  EMB?
[27:49.660 --> 27:52.900]  Like the EMB chip, I guess, right?
[27:53.800 --> 28:04.260]  Oh, yeah. So our ATM supports both chip and magnetic strip. It's just an option that you set on the ATM side of things.
[28:04.860 --> 28:16.180]  And if you're wondering whether your chip is encrypted, the answer is it's encrypted with TS or SSL if you enabled it. But if you don't enable it, it's just plain text.
[28:20.620 --> 28:42.880]  Okay. Well, we have just a couple more minutes left. I want to thank you guys for your hard work and the effort you've all put into this. Fascinating stuff. I actually ran Barnaby's talk a while ago. It's kind of depressing that it's been 10 years. My goodness.
[28:44.020 --> 28:55.180]  But it's good stuff. Congratulations to both of you. Is there anything else that you guys want to add for everybody that's come out to ask you some questions and everything like that?
[28:58.490 --> 29:01.930]  I'm going to share my Twitter handle if you have something to ask.
[29:08.390 --> 29:13.070]  If you have any questions, you can DM me. I'll be happy to answer any questions you have.
[29:16.110 --> 29:19.750]  Same. I guess they're on the DEF CON website.
[29:21.630 --> 29:31.610]  Yeah, ATMs are a fun target and it's been fun being able to work at this at Red Bull and over the past year and a half.
[29:32.190 --> 29:33.570]  Year, year and a half.
[29:34.770 --> 29:37.430]  These are interesting targets.
[29:39.790 --> 29:55.750]  We're happy to be able to share this and demonstrate that these devices are out there. It's not something you can just go out on a whim and install in your own home, although there are special individuals who have taken those steps.
[29:55.750 --> 30:00.150]  But these are fun devices to work with.
[30:01.290 --> 30:11.630]  Like a lot of things, they benefit from not being as scrutinized by end users. It's more of a thing where you say, I want this.
[30:11.630 --> 30:23.130]  As a Bodega owner, as a gas station owner, you just get this ATM and you don't have to ask too many more questions, as long as it doesn't just pop the vault open and spill out some cash.
[30:23.130 --> 30:37.910]  Generally, that's enough for most people, but these devices are something that deserve being looked at through the network layer and seeing how they interact and which open ports they have.
[30:37.910 --> 30:44.310]  It's just a simple question to ask that yields a lot of information about the security of the device.
[30:46.190 --> 30:57.110]  So we have one last minute question, if you guys are game. Should the penalties for non-EM, EVM implementations be higher? They're currently very low.
[30:58.490 --> 31:15.450]  It's a good question. I think a lot of payment processors actually require EMV nowadays. I know that there's some requirements by some companies or financial institutions. I'm not quite sure how that works.
[31:17.030 --> 31:24.190]  I think it's fairly widespread, at least in terms of what I've seen. Brenda, does that mirror your experience?
[31:24.930 --> 31:43.650]  Yeah, most ATMs I've seen uses EMV, at least the ones I've seen, right? But the fallback, if your EMV doesn't work, the fallback would be a magnitude shift, which goes back to the same original problem.
[31:43.990 --> 31:55.430]  Great. Well, I appreciate you guys being generous with your time, and I appreciate you guys joining us today. And thank you for all the questions from the field, and we hope to see you guys back with more research in the future.
[31:56.510 --> 31:57.790]  Glad to be here.
